Experts from the US Government have for the first time joined counterparts from EU Member States to simulate how cyber security authorities on both sides of the Atlantic cooperate in response to cyber attacks.
Two hypothetical scenarios were tested under the Cyber Atlantic 2011 exercise earlier this month: a cyber-attack which attempts to extract and publish online sensitive information from the EU’s national cyber security agencies, and an attack on supervisory control and data acquisition (SCADA) systems in EU power generation equipment, the European Commission reports.
Neelie Kroes, European Commission Vice-President for the Digital Agenda said: “Recent high profile cyber-attacks show that global threats need global action. Today’s exercise provides valuable lessons for specialists on both sides of the Atlantic.”
Sony Playstation, the EU Emissions Trading Scheme, European Commission and European External Action Service have all been subject to cyber-attacks in recent months.
In practical terms, the EU contribution to Cyber Atlantic 2011 has been enabled by the European Commission, with key support from ENISA, the European Network and Information Security Agency, which has facilitated the exercise with the vital technical contributions provided by EU member states. The Department of Homeland Security has been in the lead for the US. The EU CERT also participated as an observer.
Cyber Atlantic 2011 grew out of the EU-US Working Group on Cyber-security and Cyber-crime, which was established in November 2010 to tackle new threats to global networks. Initial findings of the exercise will be taken into account in the Working Group’s report which will be presented to the EU-US Summit later this year.
The Cyber Atlantic 2011 exercise was based on two hypothetical scenarios. In the first scenario, various EU National Cyber Security Agencies (NCSAs) were confronted with what is known as an Advanced Persistence Threat (APT). Under this scenario, a hacker group, active for several years, launched a sophisticated and targeted cyber-attack to extract sensitive information from the victims, and publish this data online. Several cyber security agencies had been monitoring the group closely for more than a year. This surveillance led to cooperation between some European countries which succeeded in fighting off the attack. The US followed this incident and cooperated with the affected countries fearing that it may also be targeted.
The second scenario was based on (SCADA) system failure in an EU wind turbine. SCADA systems monitor and control processes in essential systems like water treatment and distribution, oil and gas pipelines, electrical power transmission and distribution, wind farms, civil defence siren systems, and large communications systems. This infrastructure failure, and the fact that US companies provide a significant percentage of SCADA equipment and software to Europe, led the EU to request coordination with American partners.
At the November 2010 EU-US summit in Lisbon EU and US leaders agreed to establish an EU-US Working Group on Cyber-security and Cyber-crime.
Lessons learned from last year’s first pan-European exercise, “Cyber Europe 2010” where experts across Europe tested their responses to a simulated attack from hackers on a critical online service have fed into Cyber Atlantic 2011.
On Monday the Pentagon’s advanced research arm said it is boosting efforts to build offensive cyber arms for possible keyboard-launched U.S. military attacks against enemy targets.
The military needs “more and better options” to meet cyber threats to a growing range of industrial and other systems controlled by computers vulnerable to penetration, including cars, Regina Dugan, director of the Defense Advanced Research Projects Agency, told a first-of-its kind conference.
“Modern warfare will demand the effective use of cyber, kinetic and combined cyber and kinetic means,” she said. Kinetic is military parlance for traditional ways of fighting such as dropping bombs, firing missiles and rolling tanks in.
Dugan’s agency, known as DARPA, opened the session to what it called “visionary hackers” as well as academics and others in an effort to “change the dynamic of cyber defense” amid mounting U.S. concern over vulnerabilities of networks and computer-controlled hardware.
The Office of the National Counterintelligence Executive, a U.S. government body, said in a report to Congress last week that China and Russia are using cyber espionage to steal U.S. trade and technology secrets to bolster their fortunes at U.S. expense.
DARPA officials told the session that a recent in-house analysis had found that layered U.S. defenses alone, as currently configured, were a losing proposition because of a cyber attacker’s lopsided advantage.
The cost of creating software security packages, some now involving up to 10 million lines of code, has soared in the past 20 years, the agency’s survey found, while malicious software still requires only 125 lines on average.
“This is not to suggest that we stop doing what we are doing in cyber security,” Dugan told an audience of about 700 in a hotel ballroom outside Washington. “But if we continue only down the current path, we will not converge with the threat,” meaning deal effectively with it.
DARPA’s mission is to maintain the U.S. military’s technology edge and prevent a high-tech surprise by sponsoring high-payoff research with military applications.
“Malicious cyber attacks are not merely an existential threat to our bits and bytes. They are a real threat to our physical systems, including our military systems,” Dugan said.
U.S. officials stepped up warnings about possible destructive cyber attacks after the computer virus Stuxnet emerged in 2010, disrupting centrifuges that Iran uses to enrich uranium for what the United States and some European nations have charged is a covert nuclear weapons program.
Daniel Roelker, a DARPA project manager who works on offensive cyber weapons, said the Pentagon needed technological breakthroughs to be able to fight at the speed of light in cyberspace.
The United States and unspecified “adversaries” are locked in a struggle in cyberspace, said another program manager, Timothy Fraser. “Their costs are very low, and our costs are very high,” he said.
Modern cars’ brakes, accelerators and steering were among the systems that “we need to worry about” because they could be hacked by tapping into their diagnostic boards, even remotely, Kathleen Fisher, a third program manager said.
The DARPA budget request for fiscal 2012, which began October 1, called for its cyber research funding to jump more than 73 percent to US$208 million from US$120 million.
The agency plans to boost its investment in cyber research over the next five years to 12 percent of its budget from 8 percent even as overall U.S. military-related spending is set to decline As part of deficit cutting.
DARPA “has a special responsibility to explore the outer bounds of such capabilities so that our nation is well prepared for future challenges,” Dugan said, citing its role in creating Arpanet in the 1960s, forerunner of the Internet.
U.S. officials have declined to discuss publicly U.S. offensive capabilities in cyberspace. One key concern is whether the United States can defend against possible retaliatory cyber attacks that might target such things as transportation, banking systems and power grids.
James Miller, principal deputy undersecretary of Defense for policy, told a separate event hosted by the Center for Strategic and International Studies that the United States had a “full spectrum of cyber capabilities,” by implication including existing cyber weapons.